A high street and online shoe retailer has had a warning from the data protection watchdog after the personal data of over one million customers was left exposed due to a hacking incident.
The hacker managed to gain the potential to access Office customers’ contact details and website passwords (but not bank details) via an unencrypted database that was due to be decommissioned. The hacker bypassed other technical measures the company had put in place and the incident went undetected. Office has signed an undertaking to ensure issues around the data breach are resolved.
Sally-Anne Poole, Group Manager at the Information Commissioner’s Office (ICO) said: “The breach has highlighted two hugely important areas of data protection: the unnecessary storage of older personal data and the lack of security to protect data. All data is vulnerable even when in the process of being deleted, and Office should have had stringent measures in place regardless of the server or system used. The need and purpose for retaining personal data should also be assessed regularly, to ensure the information is not being kept for longer than required.”
“Fortunately, in this case there is no evidence to suggest that the information has been used any further and the company did not store any bank details.”
According to the ICO the data breach also highlights the risks associated with customers using the same password for all their online accounts. Sally-Anne Poole added: “This one incident could potentially have given the hacker access to numerous accounts that the clients held with other organisations, as passwords were included on the database in question. It’s important to use a unique, strong password for each separate account; preferably a combination of numbers and letters – not a name or dictionary word.”
Office has signed an undertaking to resolve the data security issues. As the undertaking put it, it would appear that the retention of this historic data, some of which may now be inaccurate, was over-cautious and not strictly required.
Comment
Jason Hart, VP Cloud Services, Identity and Data Protection, Gemalto (formerly SafeNet) said of the case: “Shoe retailer Office is just one in a long list of companies that faced a data breach resulting in the exposure of confidential customer details. In fact, last year there were more than 566 million customer data records stolen from retail companies worldwide. It’s not enough to rely on customers to use unique strong passwords. The Information Commissioner’s Office warning should be heeded by all companies that hold personal customer details for any period of time.
“It highlights the importance of adopting a secure breach approach that focuses on securing the data once intruders penetrate the perimeter defences. Being breached is no longer a question of “if” but “when. Breach prevention and threat monitoring alone will not keep the cyber criminals out anymore. This means companies need to adopt a data-centric view of digital threats starting with better access control techniques using multi-factor authentication measures and the use of encryption and key management to secure sensitive data. That way, if the data is stolen it is useless to the thieves.”
